incident response

Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

Ideally, incident response activities are conducted by the organization's computer security incident response team (CSIRT), a group that has been previously selected to include information security and general IT staff as well as C-suite level members. The team may also include representatives from the legal, human resources and public relations departments. The CSIRT response should comply with the organization's incident response plan (IRP), a set of written instructions that outline the organization's response to a cyberattack.

Importance of incident response

Any incident that is not properly contained and handled can -- and usually will -- escalate into a bigger problem that can ultimately lead to a damaging data breach or system collapse. Responding to an incident quickly will help an organization minimize losses, mitigate exploited vulnerabilities, restore services and processes, and reduce the risks that future incidents pose.

Incident response enables an organization to be prepared for the unknown as well as the known and is a reliable method for identifying a security incident immediately when it occurs. Incident response also allows an organization to establish a series of best practices to stop an intrusion before it causes damage.

Incident response plan

An IRP should include procedures for detecting, responding to and limiting the effects of a data security breach.

An incident response plan can benefit an enterprise by outlining how to minimize the duration of and damage from a security incident, identifying participating stakeholders, streamlining forensic analysis, hastening recovery time, reducing negative publicity and ultimately increasing the confidence of corporate executives, owners and shareholders.

The plan should identify and describe the roles and responsibilities of the incident response team members who are responsible for testing the plan and putting it into action. The plan should also specify the tools, technologies and physical resources that must be in place to recover breached information.

Who is responsible for incident response?

To properly prepare for and address incidents across the business, an organization should form a CSIRT. This team is responsible for analyzing security breaches and responding appropriately. An incident response team may include:

An incident response manager, usually the director of IT, who oversees and prioritizes actions during the detection, analysis and containment of an incident. The incident response manager also conveys the special requirements of high-severity incidents to the rest of the organization.

Security analysts who support the manager and work directly with the affected network to research the time, location and details of an incident. Triage analysts filter out false positives and keep an eye out for potential intrusions. Forensic analysts recover key artifacts (residue left behind that can provide clues about an intruder) as well as maintain the integrity of evidence and the investigation.

Threat researchers who provide threat intelligence and context for an incident. They scour the internet and identify information that may have been reported externally. Threat researchers combine this data with an organization's records of previous incidents to build and maintain a database of internal intelligence.

Management support is key to securing the necessary resources, funding, staff and time commitment for incident response planning and execution. Many incident response teams include the chief information security officer (CISO) or some other C-suite executive, who acts as a champion and leader for the group.

The incident response team may also include a human resources representative, especially if the investigation reveals that an employee is involved with an incident; audit and risk management specialists can develop vulnerability assessments and threat metrics and also encourage best practices across the organization.

Including the organization's general counsel can ensure that the collected evidence maintains its forensic value in case the organization decides to take legal action; attorneys also provide advice about liability issues when an incident affects vendors, customers and/or the general public. Finally, public relations specialists can help keep in touch with team leaders and ensure accurate information is disseminated to stockholders and the media.


I strongly disagree with the "new" definition of this term, incident response. This was coined quite a long time ago to refer to actions taken in response to any incident that disrupted company operations. It might refer to a supplier failure, a reputation incident (malfeasance/crime by a corporate officer, for example), a fire, an earthquake, or any kind of incident that disrupts organization operations. Of course any kind of security breach, whether physical or cyber, would also require an Incident Response. Limitation of this term to a cyber incident is illogical and will introduce confusion among those who do not have deep industry experience. Each type of interruption incident will require an incident response, not just a cyber incident.